containers: prepare environmentd and clusterd for distroless migration

Move bash entrypoint logic into Rust binaries so environmentd and
clusterd can run in distroless containers without a shell:

clusterd:
- Auto-detect Kubernetes FQDN from /etc/hostname (replaces `hostname --fqdn`)
- Auto-detect StatefulSet ordinal from HOSTNAME env var
- Configure LD_PRELOAD for eatmydata (CI only, no-op in distroless)

environmentd:
- Configure LD_PRELOAD for eatmydata
- Sleep forever after graceful exit (keeps container alive for debugging)

Also add Dockerfile.distroless variants for both services that use the
distroless-prod-base image and expect a static `ssh` binary to be
copied in for SSH tunnel support.

Part of SEC-236.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jasonhernandez

src/clusterd/Cargo.toml

@@ -16,6 +16,7 @@ clap = { version = "4.5.23", features = ["derive", "env"] }
 fail = { version = "0.5.1", features = ["failpoints"] }
 futures = "0.3.32"
 hyper = "1.4.1"
+libc = "0.2"
 hyper-util = "0.1.20"
 mz-alloc = { path = "../alloc" }
 mz-alloc-default = { path = "../alloc-default", optional = true }

src/clusterd/ci/Dockerfile.distroless

@@ -0,0 +1,20 @@
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+
+# Distroless variant of the clusterd image. Requires the entrypoint
+# logic to be compiled into the binary (eatmydata, Kubernetes detection,
+# env var defaults) rather than handled by a bash script. Also requires
+# a static `ssh` binary for SSH tunnel support.
+
+MZFROM distroless-prod-base
+
+COPY clusterd /usr/local/bin/
+COPY ssh /usr/bin/
+
+ENTRYPOINT ["/usr/local/bin/clusterd"]

src/clusterd/src/lib.rs

@@ -47,6 +47,45 @@ mod usage_metrics;
 
 const BUILD_INFO: BuildInfo = build_info!();
 
+/// Resolves a short hostname to its FQDN using `getaddrinfo` with
+/// `AI_CANONNAME`, equivalent to `hostname --fqdn`. Falls back to the
+/// short hostname if DNS resolution fails.
+fn resolve_fqdn(short_hostname: &str) -> String {
+    use std::ffi::{CStr, CString};
+    use std::ptr;
+
+    let Ok(c_host) = CString::new(short_hostname) else {
+        return short_hostname.to_string();
+    };
+
+    let mut hints: libc::addrinfo = unsafe { std::mem::zeroed() };
+    hints.ai_flags = libc::AI_CANONNAME;
+    hints.ai_family = libc::AF_UNSPEC;
+
+    let mut result: *mut libc::addrinfo = ptr::null_mut();
+
+    let rc = unsafe { libc::getaddrinfo(c_host.as_ptr(), ptr::null(), &hints, &mut result) };
+
+    if rc != 0 || result.is_null() {
+        return short_hostname.to_string();
+    }
+
+    let fqdn = unsafe {
+        let info = &*result;
+        if info.ai_canonname.is_null() {
+            short_hostname.to_string()
+        } else {
+            CStr::from_ptr(info.ai_canonname)
+                .to_string_lossy()
+                .into_owned()
+        }
+    };
+
+    unsafe { libc::freeaddrinfo(result) };
+
+    fqdn
+}
+
 pub static VERSION: LazyLock<String> = LazyLock::new(|| BUILD_INFO.human_version(None));
 
 /// Independent cluster server for Materialize.
@@ -171,6 +210,51 @@ struct Args {
 pub fn main() {
     mz_ore::panic::install_enhanced_handler();
 
+    // When running in Kubernetes, auto-detect the GRPC host from the pod's FQDN
+    // and the process index from the StatefulSet ordinal. These are set as env
+    // vars so that clap picks them up as defaults (they can still be overridden
+    // via explicit env vars or CLI args).
+    //
+    // SAFETY: Called before any threads are spawned (main entry point, single
+    // threaded), so modifying env vars is safe.
+    if std::env::var("KUBERNETES_SERVICE_HOST").is_ok() {
+        if std::env::var("CLUSTERD_GRPC_HOST").is_err() {
+            // Resolve the pod's FQDN via DNS, equivalent to `hostname --fqdn`.
+            // In Kubernetes, /etc/hostname only has the short name (e.g.,
+            // "clusterd-0"), but GRPC validation needs the FQDN (e.g.,
+            // "clusterd-0.clusterd.ns.svc.cluster.local"). We resolve the
+            // short hostname through DNS to get the canonical name.
+            //
+            // This avoids shelling out to `hostname --fqdn` which isn't
+            // available in distroless images.
+            if let Ok(short) = std::fs::read_to_string("/etc/hostname") {
+                let short = short.trim();
+                if !short.is_empty() {
+                    let fqdn = resolve_fqdn(short);
+                    unsafe { std::env::set_var("CLUSTERD_GRPC_HOST", &fqdn) };
+                }
+            }
+        }
+        if std::env::var("CLUSTERD_PROCESS").is_err() {
+            // Extract the ordinal index from the StatefulSet hostname
+            // (e.g., "clusterd-0" → "0").
+            if let Ok(hostname) = std::env::var("HOSTNAME") {
+                if let Some(ordinal) = hostname.rsplit('-').next() {
+                    unsafe { std::env::set_var("CLUSTERD_PROCESS", ordinal) };
+                }
+            }
+        }
+    }
+
+    // Configure LD_PRELOAD for eatmydata if requested (CI performance
+    // optimization). In distroless images libeatmydata.so is not available,
+    // so this is a no-op.
+    if std::env::var("MZ_EAT_MY_DATA").is_ok() {
+        unsafe { std::env::set_var("LD_PRELOAD", "libeatmydata.so") };
+    } else {
+        unsafe { std::env::remove_var("LD_PRELOAD") };
+    }
+
     let args = cli::parse_args(CliConfig {
         env_prefix: Some("CLUSTERD_"),
         enable_version_flag: true,

src/environmentd/ci/Dockerfile.distroless

@@ -0,0 +1,20 @@
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+
+# Distroless variant of the environmentd image. Requires the entrypoint
+# logic to be compiled into the binary (eatmydata, sleep-on-exit) rather
+# than handled by a bash script. Also requires a static `ssh` binary for
+# SSH tunnel support and a static `tini` for PID 1 init.
+
+MZFROM distroless-prod-base
+
+COPY environmentd /usr/local/bin/
+COPY ssh /usr/bin/
+
+ENTRYPOINT ["/usr/local/bin/environmentd"]

src/environmentd/src/environmentd/main.rs

@@ -640,13 +640,32 @@ fn aws_secrets_controller_key_alias(env_id: &EnvironmentId) -> String {
 }
 
 pub fn main() {
+    // Configure LD_PRELOAD for eatmydata if requested (CI performance
+    // optimization). In distroless images libeatmydata.so is not available,
+    // so this is a no-op.
+    //
+    // SAFETY: Called before any threads are spawned (main entry point, single
+    // threaded), so modifying env vars is safe.
+    if std::env::var("MZ_EAT_MY_DATA").is_ok() {
+        unsafe { std::env::set_var("LD_PRELOAD", "libeatmydata.so") };
+    } else {
+        unsafe { std::env::remove_var("LD_PRELOAD") };
+    }
+
     let args = cli::parse_args(CliConfig {
         env_prefix: Some("MZ_"),
         enable_version_flag: true,
     });
     if let Err(err) = run(args) {
         panic!("environmentd: fatal: {}", err.display_with_causes());
     }
+    // In the previous bash entrypoint, environmentd would sleep forever after
+    // a graceful exit. This keeps the container alive for debugging. Replicate
+    // that behavior here.
+    eprintln!("environmentd exited gracefully; sleeping forever");
+    loop {
+        std::thread::sleep(std::time::Duration::from_secs(86400));
+    }
 }
 
 fn run(mut args: Args) -> Result<(), anyhow::Error> {